CVE-2023-38545 - Heap Buffer Overflow in cURL’s SOCKS5 Proxy Handshake
Contents:
Overview
In October 2023, a serious security flaw was disclosed in cURL, a command-line tool and library used by millions worldwide to transfer data with URLs. The vulnerability, registered as CVE-2023-38545, affects how cURL handles SOCKS5 proxy handshakes, making it possible for an attacker to trigger a heap-based buffer overflow.
This article explains what happened, why it matters, and how attackers could abuse it, including real code snippets and links to the original advisory.
How the Vulnerability Works
cURL can use a SOCKS5 proxy to connect to a destination server. Normally, if you request a URL through a SOCKS5 proxy, you can tell cURL whether to let the proxy resolve the hostname or have cURL do it.
If the hostname is 255 bytes or less, cURL will pass the name directly to the proxy.
- If the hostname is longer than 255 bytes, cURL is supposed to resolve it itself and pass only the resulting IP address to the proxy.
But due to a bug, if you use a very long hostname (over 255 bytes), and during a slow SOCKS5 handshake, cURL can mistakenly set a local flag incorrectly. Instead of passing only the resolved address to the proxy, it copies the long hostname—straight from the user-supplied URL—into a heap buffer not big enough for it. That causes a heap buffer overflow.
Because the heap buffer lives in memory, if you control the hostname (e.g., via a crafted URL), you might be able to overwrite adjacent memory and potentially execute code.
Here’s a simplified illustration. Note how cURL handles the SOCKS5 connection setup
#define MAX_HOSTNAME_LEN 255
void socks5_connect(const char *hostname) {
char target_buffer[256]; // only 256 bytes for hostname or IP
bool remote_resolve = strlen(hostname) <= MAX_HOSTNAME_LEN;
/* Bug: under certain slow handshake conditions, remote_resolve might be wrong */
if (remote_resolve) {
/* Copy the hostname (from user) into buffer */
strcpy(target_buffer, hostname);
} else {
/* Resolve and copy IP */
strcpy(target_buffer, resolve(hostname));
}
// ...continue with SOCKS5 handshake using target_buffer
}
In the vulnerable case, hostname longer than 255 bytes is copied into a 256-byte heap buffer, overflowing it.
Attackers could exploit this by making cURL connect to a URL like
socks5h://AAAAAAAA...AAAA@target.com
Where AAAA...AAAA is a string over 255 characters.
How an exploit may look
1. Craft a malicious URL with an overlong hostname (such as from a web link or user-supplied input).
2. cURL is invoked with this URL and asked to use a SOCKS5 proxy (socks5h://).
User-controlled data (the hostname) is written beyond the buffer boundary.
5. With additional heap manipulation, the attacker might be able to control adjacent memory leading to code execution, data leaks, or a crashed process.
Example command
curl --socks5-hostname 127...1:108 http://$(python3 -c 'print("A"*300)').example.com
Who is Vulnerable?
- You’re vulnerable if you use cURL 7.69. to 8.3. with the socks5h:// protocol and allow arbitrary hostnames.
Fixes
- Update to cURL 8.4. or later.
- See official advisory for patch details.
Workarounds
- Avoid using the socks5h:// protocol with untrusted hostnames.
References
- Official cURL CVE-2023-38545 Advisory
- NIST CVE-2023-38545 Entry
- cURL Source Code & Releases
- Security Researchers’ Writeup
Summary
CVE-2023-38545 is a serious heap buffer overflow vulnerability in cURL’s SOCKS5 handshake logic, allowing attackers to overflow a buffer with user-controlled data by passing a hostname longer than 255 bytes. The issue is fixed in newer cURL versions—make sure you update! If you build tools or services on top of cURL, be aware of this bug and follow secure update practices.
Timeline
Published on: 10/18/2023 04:15:00 UTC
Last modified on: 10/28/2023 03:15:00 UTC